Geek Answers Handbook

Can I get an image digest without uploading an image?

Like the question β€œ What is the docker image sha256 code ? , I would like to find a Docker image digest. I can see the digest when loading the image:

$ docker pull waisbrot/wait:latest latest: Pulling from waisbrot/wait Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330 Status: Image is up to date for waisbrot/wait:latest $

Another question, What is the endpoint of the Docker API registries for getting a digest for an image , is the answer offering the Docker-Content-Digest header.

I see that there is a Docker-Content-Digest header when I retrieve the manifest for the image:

 $ curl 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull' -H "Authorization: Basic ${username_password_base64}" # store the resulting token in DT $ curl -v https://registry-1.docker.io/v2/waisbrot/wait/manifests/latest -H "Authorization: Bearer $DT" -XHEAD * Trying 52.7.141.30... * Connected to registry-1.docker.io (52.7.141.30) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: *.docker.io * Server certificate: RapidSSL SHA256 CA - G3 * Server certificate: GeoTrust Global CA > GET /v2/waisbrot/wait/manifests/latest HTTP/1.1 > Host: registry-1.docker.io > User-Agent: curl/7.43.0 > Accept: */* > Authorization: Bearer LtVRw-etc-etc-etc > < HTTP/1.1 200 OK < Content-Length: 4974 < Content-Type: application/vnd.docker.distribution.manifest.v1+prettyjws < Docker-Content-Digest: sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3 < Docker-Distribution-Api-Version: registry/2.0 < Etag: "sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3" < Date: Wed, 07 Sep 2016 16:37:15 GMT < Strict-Transport-Security: max-age=31536000

However, this title is not the same. The pull command got me 6f21 , and the title 128c shows 128c . In addition, the pull command does not work for this digest:

 $ docker pull waisbrot/ wait@sha256 :128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3 Error response from daemon: manifest unknown: manifest unknown

while everything works the way I want when I have the correct digest:

 $ docker pull waisbrot/ wait@sha256 :6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330 12:46 waisbrot@influenza sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330: Pulling from waisbrot/wait Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330 Status: Image is up to date for waisbrot/ wait@sha256 :6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330

I'm looking for a way to convert the latest tag (which changes all the time) to a fixed digest that I can reliably pull out. But I don’t really want to pull it to make this translation.

+8
source share
4 answers

Try

 $ curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull' -H "Authorization: Basic ${username_password_base64}"

References: This forum link discusses the same issue.

The problem is that the default content type selected by the server is application/vnd.docker.distribution.manifest.v1+prettyjws (manifest v1) and you need to manifest v2. So you need to set the Accept header to application/vnd.docker.distribution.manifest.v2+json .

+11
source

I understand that this problem was answered, but either I missed something, or the current version of the AWS ECR registry service is not working properly.

When I try to get a digest from AWS ECR using any of the HEADs, and when I try to switch the content type, it does not return the digest value that I can use to pull the image using the Api registry.

To get this digest, you need to get the manifest for the tag of interest and calculate the sha256 of the Json response as is, including formatting, without a signature section

0
source

Following the suggestion of ByteFlinger, which had no example, I tried this, and here is how to calculate it:

 $ docker-ls tag -registry https://myregistry.net:5000 spicysomtam/zookeeper:latest requesting manifest . done repository: spicysomtam/zookeeper tagName: latest digest: sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036 $ curl -ns -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://myregistry.net:5000/v2/spicysomtam/zookeeper/manifests/latest|sha256sum bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036 - $ docker images --digests |grep zookeeper myregistry.net:5000/spicysomtam/zookeeper latest sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036 a983e71ca22d 29 hours ago 584MB
0
source

You can get this with docker inspect :

docker inspect --format='{{index.RepoDigests 0}}' ${IMAGE_NAME}

Docs: https://docs.docker.com/engine/reference/commandline/inspect/

It was in place at least v1.9.

0
source

More articles:


All Articles